Being this is a new system, starting with the latest and greatest would be preferable.

Found the issue, being that there were multiple sync agreements, there was a problem adding users to the groups. Being that the users and group sync agreements were separate, we got this error message "map_dn_values: this entry is not ours". Once we consolidated the sync agreements into 1 big sync agreement, everything seems to be happy.

Thanks to Vesa Alho, who had the correct answer. Also thanks to all for the responses.

Cheers
DuWayne

> Our latest 1.3.1 version is 1.3.1.22:
> http://directory.fedoraproject.org/wiki/Releases/1.3.1.22
>
> And we fixed some windows group issues since 1.3.1.9. For instance,
> https://fedorahosted.org/389/ticket/415
> https://fedorahosted.org/389/ticket/47642
>
> Any plan to upgrade?
>
> DuWayne Holsbeck wrote:
>> dpkg -l 389-ds-base
>>
>> 389-ds-base 1.3.1.9-0ubuntu2 amd64
>>
>> On Mon, 2014-05-19 at 13:50 -0700, Noriko Hosoi wrote:
>>> DuWayne Holsbeck wrote:
>>>> I did use multiple OUs, trying to mimic the AD structure as closely
>>>> as possible. I think I tried the all in one approach, but there was
>>>> some kind of issue. The MS server is 2008 R2.
>>>>
>>>> The DS server is version 1.3.1.
>>> What is the revision #?
>>> $ rpm -q 389-ds-base
>>>> the attributes set on the groups are
>>>> ntgroupcreatenewgroup = on, nt goupdeletegroup = on, ntuniqueid
>>>> = xxxxxxxxxxxxxx, ntuserdomainid = "group name". It has the ntgroup
>>>> objectClass, and a list of uniquemembers.
>>>>
>>>> Cheers
>>>> DuWayne
>>>>
>>>> On Sun, 2014-05-18 at 20:42 +0300, Vesa Alho wrote:
>>>>> On 05/16/2014 09:12 PM, DuWayne Holsbeck wrote:
>>>>>> I have a 389 and AD servers setup, and sync agreements configured
>>>>>> for users, and groups. The Groups synced fine, but on the AD side
>>>>>> there are no members in the groups. I set the ntGroup objectClass,
>>>>>> ntGroupType, ntGroupCreateNewAccount, ntGroupDeleteAccount,
>>>>>> ntUniqueId attributes set on the 389DS side. Initial sync runs
>>>>>> without errors.
>>>>>>
>>>>>> Am I missing something, or is there a trick to get the Group
>>>>>> memberships to sync up between the 2?
>>>>>>
>>>>>> Any suggestions on a fix, or way to troubleshoot the issue would be
>>>>>> greatly appreciated.
>>>>> Did you set up a single sync agreement? I managed to get group members
>>>>> working when syncing users and groups with single sync agreement. Due
>>>>> to our ldap structure, I had to create sync agreement for the whole
>>>>> root suffix.
>>>>>
>>>>> 389: dc=domain,dc=com ==> AD: ou=ldap,dc=domain,dc=com
>>>>>
>>>>> Before this, I tried to sync users and groups with separate sync
>>>>> agreements which didn't work. Also check you are running at least
>>>>> version 1.2.11.29. I had general problems with MS Server 2012 R2 with
>>>>> earlier versions.
>>>>>
>>>>> -Vesa
>>>>> --
>>>>> 389 users mailing list
>>>>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
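
The scoping problem resolved in this thread, as an added example that is not part of the original messages and is not 389 Directory Server code: a pre-check that lists group members whose DNs fall outside a sync agreement's 389-side subtree. It assumes a member is skipped when its DN lies outside that subtree; the `ou=People` and `ou=Groups` DNs and all function names are hypothetical.

```python
# Added example: a simplified model of sync-agreement scoping, not 389-ds code.
import re

def parse_dn(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas."""
    rdns = re.split(r'(?<!\\),', dn)
    return [re.sub(r'\s*=\s*', '=', r.strip()).lower() for r in rdns]

def in_subtree(dn, base):
    """True when dn is the base entry itself or lies beneath it."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def unmapped_members(agreement_subtree, groups):
    """For each group the agreement covers, list the members it cannot map
    because their DNs fall outside the agreement's directory subtree
    (assumed to be the condition behind 'this entry is not ours')."""
    report = {}
    for group_dn, members in groups.items():
        if not in_subtree(group_dn, agreement_subtree):
            continue  # this agreement never handles the group at all
        missing = [m for m in members if not in_subtree(m, agreement_subtree)]
        if missing:
            report[group_dn] = missing
    return report

# Constructed sample data: hypothetical DNs under the thread's dc=domain,dc=com.
GROUPS = {
    "cn=staff,ou=Groups,dc=domain,dc=com": [
        "uid=alice,ou=People,dc=domain,dc=com",
        "uid=bob, ou=People, DC=domain, DC=com",
    ],
}
SPLIT_GROUP_AGREEMENT = "ou=Groups,dc=domain,dc=com"  # groups-only agreement
SINGLE_AGREEMENT = "dc=domain,dc=com"                 # whole root suffix

if __name__ == "__main__":
    for name, base in (("split", SPLIT_GROUP_AGREEMENT),
                       ("single", SINGLE_AGREEMENT)):
        print(name, unmapped_members(base, GROUPS))
```

With the groups-only subtree every member is reported as out of scope; with the root-suffix subtree the report is empty.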